Role definitions

Role types

Consider the following key differences between the different role types when you assign roles:

ClusterRole: a Kubernetes RBAC role at the cluster scope in admin or user clusters.
Role: a Kubernetes RBAC role at the namespace scope in admin or user clusters.
ProjectRole: a custom resource definition (CRD) with permission defined and is bound to user clusters and namespaces. Project roles propagate to user clusters as a Role.
ProjectClusterRole: a CRD with permission defined, that propagates to all user clusters as a ClusterRole there.

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

Name: The name of a role displayed in the user interface (UI).
Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
Level: The specification of whether this role is scoped by the organization or a project.
Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or OrganizationRole.
Binding type: The type of binding that you must apply to this role.
Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
Escalates to: The specification of whether this role escalates to other roles or not.

Predefined identity and access roles tables for PA and AO

The following tables provide details about the permissions assigned to each predefined role. There are separate tables for each persona:

PA Persona, predefined identity and access roles

PA persona
Name	Kubernetes resource name	Initial admin	Level	Type
Organization IAM Admin	`organization-iam-admin`	True	Organization	`ClusterRole`
AI Platform Admin	`ai-platform-admin`	False	Organization	`ClusterRole`
Backup Repository Admin	`backup-repository-admin`	False	Organization	`ClusterRole`
Billing Viewer	`billing-viewer`	False	Organization	`ClusterRole`
Bucket Admin	`bucket-admin`	False	Organization	`ClusterRole`
Bucket Object Admin	`bucket-object-admin`	False	Organization	`ClusterRole`
Bucket Object Viewer	`bucket-object-viewer`	False	Organization	`ClusterRole`
DR Backup Admin	`dr-backup-admin`	False	Organization	`ClusterRole`
DR System Admin	`dr-system-admin`	False	Organization	`Role`
Flow Log Admin	`flowlog-admin`	False	Organization	`ClusterRole`
Flow Log Viewer	`flowlog-viewer`	False	Organization	`ClusterRole`
GDCH Restrict By Attributes Policy Admin	`gdchrestrictbyattributes-policy-admin`	False	Organization	`ClusterRole`
GDCH Restricted Service Policy Admin	`gdchrestrictedservice-policy-admin`	False	Organization	`ClusterRole`
IdP Federation Admin	`idp-federation-admin`	False	Organization	`Role`
KMS Rotation Job Admin	`kms-rotationjob-admin`	False	Organization	`ClusterRole`
Log Querier	`log-query-api-querier`	False	Project	`Role`
Marketplace Service Editor	`marketplace-service-editor`	False	Organization	`ClusterRole`
Org Network Policy Admin	`org-network-policy-admin`	False	Organization	`Role`
Organization Backup Admin	`organization-backup-admin`	False	Organization	`ClusterRole`
Organization IAM Viewer	`organization-iam-viewer`	False	Organization	`ClusterRole`
Organization DB Admin	`organization-db-admin`	False	Organization	`ClusterRole`
Organization Upgrade Admin	`organization-upgrade-admin`	False	Organization	`ClusterRole`
Organization Upgrade Viewer	`organization-upgrade-viewer`	False	Organization	`ClusterRole`
Project Creator	`project-creator`	False	Organization	`ClusterRole`
Project Editor	`project-editor`	False	Organization	`ClusterRole`
SIEM Export Org Creator	`siemexport-org-creator`	False	Project	`Role`
SIEM Export Org Editor	`siemexport-org-editor`	False	Project	`Role`
SIEM Export Org Viewer	`siemexport-org-viewer`	False	Project	`Role`
Transfer Appliance Request Creator	`transfer-appliance-request-creator`	False	Organization	`ClusterRole`
User Cluster Admin	`user-cluster-admin`	False	Organization	`ClusterRole`
User Cluster Backup Admin	`user-cluster-backup-admin`	False	Organization	`OrganizationRole`
User Cluster Developer	`user-cluster-developer`	False	Organization	`OrganizationRole`
User Cluster Node Viewer	`user-node-viewer`	False	Organization	`OrganizationRole`

PA persona, predefined identity, and access roles

PA persona
Name	Binding type	Org admin cluster permissions	User cluster permissions	Escalates to
Organization IAM Admin	`ClusterRoleBinding`	`RoleBinding`, `ClusterRoleBinding`, `Role`, `ClusterRole`, `ProjectRole`, `OrganizationClusterRole`, `ProjectRoleBinding`, and `OrganizationClusterRoleBinding`: Create, read, update, and delete List project namespace	N/A	Project IAM Admin and all other PA roles
AI Platform Admin	`RoleBinding`	AI platform user interface (UI): Read and write	N/A	N/A
Backup Repository Admin	`ClusterRoleBinding`	Backup repositories: Create, read, and delete Cluster information: Read	N/A	N/A
Billing Viewer	`ClusterRoleBinding`	SKU descriptions, machine inventory, fleets, invoices, and configs: Read	N/A	N/A
Bucket Admin	`ClusterRoleBinding`	Bucket and objects: Read and write	N/A	N/A
Bucket Object Admin	`ClusterRoleBinding`	Bucket: Read Objects: Read and write	N/A	N/A
Bucket Object Viewer	`ClusterRoleBinding`	Bucket and objects: Read	N/A	N/A
DR Backup Admin	`ClusterRoleBinding`	`BackupRepositories` and `BackupPlans` resources: Read, create, patch, and delete `Backups`, `ManualBackupRequests`, and `ServiceEntries` resources: Read	N/A	N/A
DR System Admin	`RoleBinding`	Secrets, buckets, roles, rolebindings, and service accounts: Read and write	N/A	N/A
Flow Log Admin	`ClusterRoleBinding`	Flow log resources: Read and write	N/A	N/A
Flow Log Viewer	`ClusterRoleBinding`	Flow log resources: Read	N/A	N/A
GDCH Restrict By Attributes Policy Admin	`ClusterRoleBinding`	GDCH restricted attributes policies: Create, edit, and delete	N/A	N/A
GDCH Restricted Service Policy Admin	`ClusterRoleBinding`	GDCH restricted service policies: Create, edit, and delete	N/A	N/A
IdP Federation Admin	`RoleBinding`	Identity provider configs and secrets: Create, read, update, patch, and delete	N/A	N/A
KMS Rotation Job Admin	`ClusterRoleBinding`	`RotationJob` resources: Create, read, update, patch, and delete	N/A	N/A
Log Querier	`RoleBinding`	Log Query API project logs: Read	N/A	N/A
Marketplace Service Editor	`ClusterRoleBinding`	Marketplace services: Read, update, and delete Cluster information: Read	N/A	N/A
Org Network Policy Admin	`RoleBinding`	`OrganizationNetworkPolicy` in `platform` namespace: Create, read, update, and delete	N/A	N/A
Organization Backup Admin	`ClusterRoleBinding`	`BackupRepositoryManagers`, backup plans, manual backup requests, delete backup requests, backup repositories, VM backup templates, VM backup requests, VM restore requests, and VM delete backup requests: Create, read, and delete Secrets: Create Volume backups and cluster infos: Read VM backup plans, VM backups, VM restores: Read and delete	N/A	N/A
Organization IAM Viewer	`ClusterRoleBinding`	Role-based access control (RBAC) objects: Read `OrganizationClusterRole` and `OrganizationClusterRoleBinding`: Read	N/A	N/A
Organization DB Admin	`ClusterRoleBinding`	Secrets, database versions, flags, maintenance policies, software libraries, database project properties: Read Backup plans and database clusters: Create, read, update, and delete Imports, restores, and failovers: Create, read, and delete Migrations and external servers: Create, read, update, delete, and patch	N/A	N/A
Organization Upgrade Admin	`ClusterRoleBinding`	Maintenance windows: Get, list, watch, update, and patch	N/A	N/A
Organization Upgrade Viewer	`ClusterRoleBinding`	Maintenance windows: Get, list, and watch	N/A	N/A
Project Creator	`ClusterRoleBinding`	Project custom resources (CR): Read and create Fleet CR: Read and create Clusters: Read ATAT portfolio secret: Read, view, and update	N/A	N/A
Project Editor	`ClusterRoleBinding`	Project custom resources (CR): Read, delete, patch, update, and view Fleet CR: Read and delete Cluster CR: Read	N/A	N/A
SIEM Export Org Creator	`RoleBinding`	`SIEMOrgForwarder` custom resources and secrets: Get, create, and read	N/A	N/A
SIEM Export Org Editor	`RoleBinding`	`SIEMOrgForwarder` custom resources and secrets: Get, read, update, delete, and patch	N/A	N/A
SIEM Export Org Viewer	`RoleBinding`	`SIEMOrgForwarder` custom resources and secrets: Read	N/A	N/A
Transfer Appliance Request Creator	`ClusterRoleBinding`	`TransferApplianceRequest` custom resource (CR): Read and create	N/A	N/A
User Cluster Admin	`ClusterRoleBinding`	`AddressPoolClaims`: Create, read, update, and delete `UserClusterUpgrade`: Read and write `UserClusterMetadata`, `ClusterBgpRouters`, `InventoryMachines`, and project custom resources (CR): Read `CidrClaims`: Create, read, update, and delete `Namespace`: Create and delete `ClusterCidrConfigs` and clusters: Create, read, update, patch, and delete `NodeUpgrades`: Create, read, patch, and update	`Clusters` and `NodePoolClaims`: Read and write `NodePools`, `MachineClasses`, `VirtualMachineTypes`, and `ClusterInfos`: Read	N/A
User Cluster Backup Admin	`OrganizationRoleBinding`	N/A	Backup and restore plans, manual backup and restore requests, delete backup requests, restores, and backup repositories: Create, read, delete, update, and patch Backups, volume backups, and volume restores: Read `ClusterInfo` and namespaces: Read	N/A
User Cluster Developer	`OrganizationRoleBinding`	N/A	Clusters: Read and write	N/A
User Cluster Node Viewer	`OrganizationRoleBinding`	N/A	Clusters: Read	N/A

AO Persona, predefined identity and access roles

AO persona
Name	Kubernetes resource name	Initial admin	Level	Type
Project IAM Admin	`project-iam-admin`	True	Project	`Role`
AI OCR Developer	`ai-ocr-developer`	False	Project	`Role`
AI Platform Viewer	`ai-platform-viewer`	False	Project	`Role`
AI Speech Developer	`ai-speech-developer`	False	Project	`Role`
AI Translation Developer	`ai-translation-developer`	False	Project	`Role`
Artifact Management Admin	`artifact-management-admin`	False	Project	`Role`
Artifact Management Editor	`artifact-management-editor`	False	Project	`Role`
Backup Creator	`backup-creator`	False	Project	`ProjectRole`
Dashboard Editor	`dashboard-editor`	False	Project	`Role`
Dashboard Viewer	`dashboard-viewer`	False	Project	`Role`
KMS Admin	`kms-admin`	False	Project	`Role`
KMS Creator	`kms-creator`	False	Project	`Role`
KMS Developer	`kms-developer`	False	Project	`Role`
KMS Key Export Admin	`kms-keyexport-admin`	False	Project	`Role`
KMS Key Import Admin	`kms-keyimport-admin`	False	Project	`Role`
KMS Viewer	`kms-viewer`	False	Project	`Role`
Kubernetes Network Policy Admin	`k8s-networkpolicy-admin`	False	Project	`ProjectRole`
Marketplace Editor	`marketplace-editor`	False	Project	`Role`
MonitoringRule Editor	`monitoringrule-editor`	False	Project	`Role`
MonitoringRule Viewer	`monitoringrule-viewer`	False	Project	`Role`
MonitoringTarget Editor	`monitoringtarget-editor`	False	Project	`Role`
MonitoringTarget Viewer	`monitoringtarget-viewer`	False	Project	`Role`
Namespace Admin	`namespace-admin`	False	Project	`ProjectRole`
ObservabilityPipeline Editor	`observabilitypipeline-editor`	False	Project	`Role`
ObservabilityPipeline Viewer	`observabilitypipeline-viewer`	False	Project	`Role`
Project Bucket Admin	`project-bucket-admin`	False	Project	`Role`
Project Bucket Object Admin	`project-bucket-object-admin`	False	Project	`Role`
Project Bucket Object Viewer	`project-bucket-object-viewer`	False	Project	`Role`
Project Network Policy Admin	`project-networkpolicy-admin`	False	Project	`Role`
Project DB Admin	`project-db-admin`	False	Project	`Role`
Project DB Editor	`project-db-editor`	False	Project	`Role`
Project DB Viewer	`project-db-viewer`	False	Project	`Role`
Project Viewer	`project-viewer`	False	Project	`Role`
Project VirtualMachine Admin	`project-vm-admin`	False	Project	`Role`
Project VirtualMachine Image Admin	`project-vm-image-admin`	False	Project	`Role`
Secret Admin	`secret-admin`	False	Project	`Role`
Secret Viewer	`secret-viewer`	False	Project	`Role`
Service Configuration Admin	`service-configuration-admin`	False	Project	`Role`
Service Configuration Viewer	`service-configuration-viewer`	False	Project	`Role`
Workbench Notebooks Admin	`workbench-notebooks-admin`	False	Project	`Role`
Workbench Notebooks Viewer	`workbench-notebooks-viewer`	False	Project	`Role`

AO persona, predefined identity, and access roles

AO persona
Name	Binding type	Org admin cluster permissions	User cluster permissions	Escalates to
Project IAM Admin	`RoleBinding`	`RoleBinding`, `ClusterRoleBinding`, `Role`, `ClusterRole`, `ProjectRole`, `ProjectClusterRole`, `ProjectRoleBinding`, and `ProjectClusterRoleBinding`: Create, read, update, delete, and bind `ProjectServiceAccount`: Create, read, update, and delete List project namespace	N/A	All other AO roles
AI OCR Developer	`RoleBinding`	OCR resources: Read and write	N/A	N/A
AI Speech Developer	`RoleBinding`	Speech resources: Read and write	N/A	N/A
AI Translation Developer	`RoleBinding`	Translation resources: Read and write	N/A	N/A
Backup Creator	`ProjectRoleBinding`	N/A	Manual backups and restores: Create, read, and delete Backups, restores, backup plans, and restore plans, volume backups, volume restores, delete backup requests: Read	N/A
Dashboard Editor	`RoleBinding`	`Dashboard` custom resources: Get, read, create, update, delete, and patch	N/A	N/A
Dashboard Viewer	`RoleBinding`	`Dashboard`: Get and read	N/A	N/A
KMS Admin	`RoleBinding`	`AEADKey`: Create, read, update, delete, patch, encrypt, and decrypt `SigningKey`: Create, read, update, delete, patch, and sign `KeyImport` and `KeyExport`: Read	N/A	N/A
KMS Creator	`RoleBinding`	`AEADKey` and `SigningKey`: Create and read	N/A	N/A
KMS Developer	`RoleBinding`	`AEADKey` in the project namespace: Read, encrypt, and decrypt `SigningKey` in the project namespace: Read and sign	N/A	N/A
KMS Key Export Admin	`RoleBinding`	`KeyExport` resource: Create, read, update, patch, and delete	N/A	N/A
KMS Key Import Admin	`RoleBinding`	`KeyImport` resource: Create, read, update, patch, and delete	N/A	N/A
KMS Viewer	`RoleBinding`	`AEADKey`, `SigningKey`, `KeyImport`, `KeyExport`: Read	N/A	N/A
Kubernetes Network Policy Admin	`ProjectRoleBinding`	N/A	Kubernetes network policies: Read and write in the user cluster	N/A
Marketplace Editor	`RoleBinding`	N/A	Service instances: Create, update, and delete	N/A
MonitoringRule Editor	`RoleBinding`	`MonitoringRule` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringRule Viewer	`RoleBinding`	`MonitoringRule` custom resources: Read	N/A	N/A
MonitoringTarget Editor	`RoleBinding`	`MonitoringTarget` custom resources: Create, read, update, delete, and patch	N/A	N/A
MonitoringTarget Viewer	`RoleBinding`	`MonitoringTarget` custom resources: Read	N/A	N/A
Namespace Admin	`ProjectRoleBinding`	N/A	All resources: Read and write access in the project namespace, excluding the system cluster	N/A
ObservabilityPipeline Editor	`RoleBinding`	`ObservabilityPipeline` resources: Get, read, create, update, delete, and patch	N/A	N/A
ObservabilityPipeline Viewer	`RoleBinding`	`ObservabilityPipeline` resources: Get and read	N/A	N/A
Project Bucket Admin	`RoleBinding`	Bucket: Read and write in the project namespace	N/A	N/A
Project Bucket Object Admin	`RoleBinding`	Bucket: Read Objects: Read and write	N/A	N/A
Project Bucket Object Viewer	`RoleBinding`	Bucket and objects: Read	N/A	N/A
Project Network Policy Admin	`RoleBinding`	Project network policies: Read and write in the project namespace	N/A	N/A
Project DB Admin	`RoleBinding`	Database versions, flags, maintenance policies, software libraries, and database project properties: Read Backup plans and database clusters: Create, read, update, and delete Imports, exports, and restores: Create, read, and delete Secrets: Create, delete, and update Migrations and external servers: Create, read, update, delete, and patch	N/A	N/A
Project DB Editor	`RoleBinding`	Database versions, flags, maintenance policies, software libraries, backup plans, and restores: Read Imports: Create, read, and delete Database clusters: Read and update Secrets: Create and delete	N/A	N/A
Project DB Viewer	`RoleBinding`	Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read	N/A	N/A
Project Viewer	`RoleBinding`	All resources in the project namespace: Read	N/A	N/A
Project VirtualMachine Admin	`RoleBinding`	Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete Virtual machine restart: Put Virtual machine images, backup plans, and backup plan templates: Read	N/A	N/A
Project VirtualMachine Image Admin	`RoleBinding`	VM images: Read VM image imports: Read and write	N/A	N/A
Secret Admin	`RoleBinding`	Kubernetes secrets: Read, create, update, delete, and patch	N/A	N/A
Secret Viewer	`RoleBinding`	Kubernetes secrets: Read	N/A	N/A
Service Configuration Admin	`RoleBinding`	`ServiceConfigurations`: Read and write	N/A	N/A
Service Configuration Viewer	`RoleBinding`	`ServiceConfigurations`: Read	N/A	N/A
Workbench Notebooks Admin	`RoleBinding`	N/A	Notebook custom resources (CR) in the project namespace: Create, read, update, and delete `ClusterInfo` objects: Read	N/A
Workbench Notebooks Viewer	`RoleBinding`	N/A	Notebook custom resources (CR) in the project namespace: Read	N/A

Common predefined identity and access roles

Common roles
Name	Kubernetes resource name	Initial admin	Level	Type
AI Platform Viewer	`ai-platform-viewer`	False	Project	`Role`
DB UI Viewer	`db-ui-viewer`	False	Project	`ClusterRole`
DB Options Viewer	`db-options-viewer`	False	Project	`ClusterRole`
DNS Suffix Viewer	`dnssuffix-viewer`	False	Organization	`Role`
Marketplace Service Viewer	`marketplace-service-viewer`	False	Project	`ClusterRole`
Marketplace Viewer	`marketplace-viewer`	False	Project	`ClusterRole`
Pricing Calculator User	`pricingcalculator-user`	False	Project	`ClusterRole`
Project Discovery Viewer	`projectdiscovery-viewer`	False	Project	`ClusterRole`
Public Image Viewer	`public-image-viewer`	False	Organization	`Role`
Virtual Machine Type Viewer	`virtualmachinetype-viewer`	True	Organization	`OrganizationRole`
VM Type Viewer	`vmtype-viewer`	False	Organization	`Role`

Common predefined identity and access roles

Common roles
Name	Binding type	Admin cluster permissions	User cluster permissions	Escalates to
AI Platform Viewer	`RoleBinding`	Pre-trained services: Read	N/A	N/A
DB Options Viewer	`ClusterRoleBinding`	DBS configurations: Read	N/A	N/A
DB UI Viewer	`ClusterRoleBinding`	DBS UI configurations: Read	N/A	N/A
DNS Suffix Viewer	`RoleBinding`	DNS suffix config maps: Read	N/A	N/A
Marketplace Service Viewer	`ClusterRoleBinding`	Marketplace services: Read	N/A	N/A
Marketplace Viewer	`ClusterRoleBinding`	Service versions and service instances: Read	N/A	N/A
Pricing Calculator User	`ClusterRoleBinding`	N/A	`SkuDescriptions`: Read	N/A
Project Discovery Viewer	`ClusterRoleBinding`	Projects: Read	N/A	N/A
Public Image Viewer	`RoleBinding`	VM images: Read	N/A	N/A
VM Type Viewer	`ClusterRoleBinding`	VM types: Read	N/A	N/A